MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6fdd9a50a2d96e6516d38fc90084cca38559705db75350d22e2abd31a8806b83. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 17

Intelligence 17 IOCs YARA 2 File information Comments

SHA256 hash:	6fdd9a50a2d96e6516d38fc90084cca38559705db75350d22e2abd31a8806b83
SHA3-384 hash:	0d158505e6b432fe7112331c40ffe49c355c61e907d58fcd08920ba77aca018ced3f8ad721a1fca79952fddff7050916
SHA1 hash:	b2522615cd8a6decba3f488d18a458d08724ae47
MD5 hash:	7ced3b500e08cc17a580314471648b7b
humanhash:	arizona-item-nebraska-fix
File name:	PAYMENT_.EXE
Download:	download sample
Signature	Formbook Create hunting rule
File size:	235'684 bytes
First seen:	2022-05-17 08:29:13 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep	3072:WfY/TU9fE9PEtuNEydTbMh19QCoWGJxdmwOovOf0VrJVJTpmecypUqEkK//rwjzx:AYa6DmDQCB8dHGf03zsSvEkBzbfWc8B+
TLSH	T1D034F1E4E352E4D3F9A34E304AB26E951FD862076037873727B1D956BD632D0BA1E312
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	332363132d353307 (6 x Formbook, 1 x SnakeKeylogger, 1 x Loki)
Reporter	cocaman
Tags:	exe FormBook payment

Intelligence

File Origin

# of uploads :

# of downloads :

230

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

formbook

ID:

File name:

PAYMENT_.EXE

Verdict:

Malicious activity

Analysis date:

2022-05-18 05:58:53 UTC

Tags:

formbook trojan stealer

Link:

https://app.any.run/tasks/d1ad0500-8451-4028-b4b3-931400f3f6a5

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/271410/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a window

Creating a process from a recently created file

Searching for the window

Сreating synchronization primitives

Launching the process to change network settings

Searching for synchronization primitives

DNS request

Sending an HTTP GET request

Reading critical registry keys

Launching cmd.exe command interpreter

Launching a process

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Unauthorized injection to a system process

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/18221/overview

Behaviour

MalwareBazaar

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

control.exe overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/62835d1f22b733139c2489b1/reports/0c221469-5f0e-48da-9d20-456eb8430b81/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6fcac99a-3e77-4c73-9b37-7941e318a41e

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/995549

Signature

C2 URLs / IPs found in malware configuration

Executable has a suspicious name (potential lure to open the executable)

Found malware configuration

Initial sample is a PE file and has a suspicious name

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Snort IDS alert for network traffic

System process connects to network (likely due to code injection or exploit)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/6fdd9a50a2d96e6516d38fc90084cca38559705db75350d22e2abd31a8806b83/

Threat name:

Win32.Trojan.LokiBot

Status:

Malicious

First seen:

2022-05-17 03:39:40 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 26 (88.46%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=n7ozuufc3fxgkfwtr7eqbbgmuocvs4c5w5jvburofk6tdkeanobq._file

Verdict:

malicious

Label(s):

formbook

Result

Malware family:

xloader

Score:

10/10

Tags:

family:formbook family:xloader campaign:u8pg loader rat spyware stealer suricata trojan

Link:

https://tria.ge/reports/220517-kdp51shde8/

Behaviour

Gathers network information

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Loads dropped DLL

Executes dropped EXE

Xloader Payload

Formbook

Xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)

Unpacked files

SH256 hash:

521ebaca91950bb361b8225fda06c97e74001d0d04db68adb623f13febe48e59

MD5 hash:

2416f698ef9eeb3e70aee77ef8604492

SHA1 hash:

5f545573e8749b5f90beaeaa4f43d12aafaf8856

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/3945d172-7201-4ef2-9f32-02efc3556402/

Parent samples :

6fdd9a50a2d96e6516d38fc90084cca38559705db75350d22e2abd31a8806b83
92cf14ee9b60bbdce41136c1003889c98881e4cdff4886b892431e0936f5362a

SH256 hash:

8f08be2b6addc92836cc512237f5f78fe391cda59cf9b72fdf59bfc2c674f544

MD5 hash:

1528bedcc4c1087936a004fb292e6e6f

SHA1 hash:

450bb603d3f616bf977a13616a2c5001a8330e9f

Link:

https://www.unpac.me/results/3945d172-7201-4ef2-9f32-02efc3556402/

SH256 hash:

6fdd9a50a2d96e6516d38fc90084cca38559705db75350d22e2abd31a8806b83

MD5 hash:

7ced3b500e08cc17a580314471648b7b

SHA1 hash:

b2522615cd8a6decba3f488d18a458d08724ae47

Link:

https://www.unpac.me/results/3945d172-7201-4ef2-9f32-02efc3556402/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/6fdd9a50a2d9/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6fdd9a50a2d96e6516d38fc90084cca38559705db75350d22e2abd31a8806b83

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	malware_Formbook_strings Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Formbook in memory
Reference:	internal research